Microsoft's Azure Key Vault is becoming an increasingly popular resource for securing credentials particularly for Event Hub and other Azure cloud services. The “Secrets Management” feature of AKV is used for storing the NaCl private key used by Connect CDC SQData. See the official introduction to AKV at https://docs.microsoft.com/en-us/azure/key-vault/general/overview.
Once the NaCL key pair has been generated by %PREFIX%>UTIL , the contents of the private key file, id_nacl can be stored as a "secret" using either Microsoft's Azure Portal import process or the Azure CLI.
Syntax:
az keyvault secret set --vault-name "<your-unique-keyvault-name>" --name "id_nacl" --value "L68x1APsG4Bhhv+gG4CYP3IdsSUX3fNSQ030RUy0T5I="
Once the NaCL Private pair has been secured in the AKV it will be referenced as required by Connect CDC SQData components using the existing method for specifying non-default identity locations:
--identity=azkv://<vault-name>.vault.azure.net/secrets/<secret_name>
Parameter | Description |
---|---|
secret_name |
While any name can be used for the secret, using ïd_nacl" or when several different NaCL private keys are to be stored in the AKV, a naming standard that relates to a host or application name concatenated with id_nacl may be appropriate. |
- Azure Key Vault (AKV) based secrets in Connect CDC SQData are supported only on Linux platforms.
- AKV requires an Azure Active Directory (AAD) token to be presented to retrieve secrets. SQData retrieves AAD tokens from Azure differently when running on on-prem Linux machines and when running on Azure Linux VM.
- When running on-prem, to retrieve AAD, tenant_id, client_id and client_secret have to be specified in the sqdata_cloud.conf file located in the working directory.
- When running on Azure VM, AAD will retrieved from managed identity. Two types of managed identities are supported:
- If client_id is specified in sqdata_cloud.conf file, then AAD token is retrieved from user managed identity
- If none of tenant_id, client_id and client_secret is specified, then AAD token is retrieved from system managed identity.
- An example sqdata_cloud.conf file:
[azkv] tenant_id=f0h2842c-8394-4tcu-bb4r-e7745dc73b3b client_id=73495b95-9d73-4973-8318-caf355b10f54 client_secret=~WlkC~4QsdQFLg0XyEeb0923_23MpRWsC~.